The documentation states that mcp.tool.arguments is available at request-time for MCP authorization rules. The code does not support this — arguments are only available in post-request logging/tracing.
Evidence
Documentation claims (request-time)
content/docs/standalone/main/configuration/security/mcp-authz.md:
| Variable |
Type |
Availability |
Description |
mcp.tool.arguments |
map |
Request-time |
The JSON arguments passed to the tool call. |
Example in docs:
mcpAuthorization:
rules:
- 'mcp.tool.name == "fetch" && mcp.tool.arguments.url.startsWith("https://internal.")'Code reality
-
Commit 74f7f33f (author: apexlnc, 25 Mar 2026) — PR #1331 — explicitly states:
"Internally, authz still evaluates the smaller identity-only subset, while post-request logging and tracing evaluate the richer post-response view of the same MCP object."
-
Test in crates/agentgateway/src/http/authorization_tests.rs line 287:
#[test]
fn test_rbac_mcp_context_is_identity_only() {
let mcp = tool_context("server", "increment");
let exec = cel::Executor::new_mcp(req.as_ref(), &mcp);
let expr = cel::Expression::new_strict(
r#"mcp.tool.name == "increment" && !has(mcp.tool.arguments)"#,
).unwrap();
assert!(exec.eval_bool(&expr)); // arguments NOT present during authz
}
-
Architecture doc (https://github.com/agentgateway/agentgateway/blob/main/architecture/cel.md):
"Request-time authorization keeps the mcp context identity-only, so those payload fields are absent during RBAC evaluation."
-
Code flow (crates/agentgateway/src/mcp/session.rs lines 420-440):
Arguments are captured only for logging (capture_call_arguments), but ResourceType::Tool passed to policies.validate() contains only target and name.
Impact
Users who configure mcpAuthorization rules referencing mcp.tool.arguments will get a runtime error or silent failure, since the field is not populated during authorization.
Suggested Fix
Either update the documentation to mark mcp.tool.arguments as post-request only, or extend the authorization system to include tool arguments in the CEL context.
The documentation states that
mcp.tool.argumentsis available at request-time for MCP authorization rules. The code does not support this — arguments are only available in post-request logging/tracing.Evidence
Documentation claims (request-time)
content/docs/standalone/main/configuration/security/mcp-authz.md:mcp.tool.argumentsmapExample in docs:
Code reality
Commit
74f7f33f(author: apexlnc, 25 Mar 2026) — PR #1331 — explicitly states:Test in
crates/agentgateway/src/http/authorization_tests.rsline 287:Architecture doc (https://github.com/agentgateway/agentgateway/blob/main/architecture/cel.md):
Code flow (
crates/agentgateway/src/mcp/session.rslines 420-440):Arguments are captured only for logging (
capture_call_arguments), butResourceType::Toolpassed topolicies.validate()contains onlytargetandname.Impact
Users who configure
mcpAuthorizationrules referencingmcp.tool.argumentswill get a runtime error or silent failure, since the field is not populated during authorization.Suggested Fix
Either update the documentation to mark
mcp.tool.argumentsas post-request only, or extend the authorization system to include tool arguments in the CEL context.